Solved

Cisco ASA Failover Issue

Posted on 2009-12-31
1,592 Views
Last Modified: 2012-05-08
Hi,  I have an ASA 5510 configured for ISP failover on the backup interface via an IP SLA.  The failover kicks in when the primary connection goes down; however, once in the failover state we cannot surf the Internet.  We are able to ping the web properly.  This leads me to look at the ASA config as the probable issue.  Config is attached.
names
dns-guard
!
interface Ethernet0/0
 description Connected to Comcast
 nameif outside
 security-level 0
 ip address 75.144.138.43 255.255.255.248
!
interface Ethernet0/1
 description Connected to Internal LAN
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
interface Ethernet0/2
 description Connected to MPLS Internet
 nameif backup
 security-level 0
 ip address 65.115.13.234 255.255.255.248
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 10.1.1.1 255.255.255.0
 management-only
!
ftp mode passive
dns server-group DefaultDNS
 domain-name xxx.com
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit tcp any host 75.144.138.43 eq imap4
access-list outside_access_in extended permit tcp any host 65.115.13.234 eq imap4
access-list outside_access_in extended permit tcp any host 75.144.138.43 eq https
access-list outside_access_in extended permit tcp any host 65.115.13.234 eq https
access-list outside_access_in extended permit tcp any host 75.144.138.43 eq www
access-list outside_access_in extended permit tcp any host 65.115.13.234 eq www
access-list outside_access_in extended permit tcp any host 75.144.138.43 eq smtp
access-list outside_access_in extended permit tcp any host 65.115.13.234 eq smtp
access-list outside_access_in extended permit tcp any host 75.144.138.42 eq 4445
access-list outside_access_in extended permit udp any host 75.144.138.42 eq 22005
access-list outside_access_in extended permit tcp any host 75.144.138.42 eq 22011
access-list outside_access_in extended permit tcp any host 75.144.138.42 eq www
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 172.18.1.0 255.255.255.0
access-list Outbound extended permit ip any any
pager lines 24
logging enable
logging trap warnings
logging history warnings
logging asdm informational
logging facility 23
mtu outside 1500
mtu inside 1500
mtu backup 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-615.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (backup) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 63.229.110.116 255.255.255.252
nat (inside) 1 63.229.110.208 255.255.255.252
nat (inside) 1 63.229.110.228 255.255.255.252
nat (inside) 1 63.229.110.232 255.255.255.252
nat (inside) 1 63.237.187.20 255.255.255.252
nat (inside) 1 63.237.239.24 255.255.255.252
nat (inside) 1 172.25.0.0 255.255.0.0
nat (inside) 1 192.168.0.0 255.255.0.0
static (inside,outside) tcp interface www 192.168.1.22 www netmask 255.255.255.255
static (inside,backup) tcp interface www 192.168.1.22 www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.22 https netmask 255.255.255.255
static (inside,backup) tcp interface https 192.168.1.22 https netmask 255.255.255.255
static (inside,outside) tcp interface imap4 192.168.1.22 imap4 netmask 255.255.255.255
static (inside,backup) tcp interface imap4 192.168.1.22 imap4 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.22 smtp netmask 255.255.255.255
static (inside,backup) tcp interface smtp 192.168.1.22 smtp netmask 255.255.255.255
static (inside,outside) udp 75.144.138.42 22005 192.168.1.15 22005 netmask 255.255.255.255
static (inside,outside) tcp 75.144.138.42 22011 192.168.1.15 22011 netmask 255.255.255.255
static (inside,outside) tcp 75.144.138.42 www 192.168.1.15 www netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group outside_access_in in interface backup
route outside 0.0.0.0 0.0.0.0 75.144.138.46 1 track 123
route backup 0.0.0.0 0.0.0.0 65.115.13.233 200
route outside 4.2.2.6 255.255.255.255 75.144.138.46 1
route inside 63.149.206.208 255.255.255.252 192.168.1.1 1
route inside 63.229.110.116 255.255.255.252 192.168.1.1 1
route inside 63.229.110.208 255.255.255.252 192.168.1.1 1
route inside 63.229.110.228 255.255.255.252 192.168.1.1 1
route inside 63.229.110.232 255.255.255.252 192.168.1.1 1
route inside 63.237.187.20 255.255.255.252 192.168.1.1 1
route inside 63.237.239.24 255.255.255.252 192.168.1.1 1
route inside 172.25.1.0 255.255.255.0 192.168.1.3 1
route inside 192.168.2.0 255.255.255.0 192.168.1.1 1
route inside 192.168.3.0 255.255.255.0 192.168.1.1 1
route inside 192.168.4.0 255.255.255.0 192.168.1.1 1
route inside 192.168.5.0 255.255.255.0 192.168.1.1 1
route inside 192.168.6.0 255.255.255.0 192.168.1.1 1
route inside 192.168.7.0 255.255.255.0 192.168.1.1 1
route inside 192.168.9.0 255.255.255.0 192.168.1.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
sla monitor 1
 type echo protocol ipIcmpEcho 4.2.2.6 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
!
track 123 rtr 1 reachability
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 60
ssh 192.168.0.0 255.255.0.0 inside
ssh timeout 60
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect http
!
service-policy global_policy global
prompt hostname context

Question by:Minot
5 Comments
 
LVL 3

Expert Comment

by:sudeep_mib
ID: 26158979
Hi,

You need to use the track parameter in the route command, like this:

route outside 0.0.0.0 0.0.0.0 10.200.159.1 1 track 1

!--- Enter this command in order to track a static route.
!--- This is the static route to be installed in the routing
!--- table while the tracked object is reachable.  The value after
!--- the keyword "track" is a tracking ID you specify.

This means the ASA will track whether your connection is up or not; when this connection goes down it will shift to the backup link.

For monitoring the link you have to configure link monitoring on the ASA:

sla monitor 123
 type echo protocol ipIcmpEcho 10.0.0.1 interface outside
 num-packets 3
 frequency 10

!--- Configure a new monitoring process with the ID 123.  Specify the
!--- monitoring protocol and the target network object whose availability the tracking
!--- process monitors.  Specify the number of packets to be sent with each poll.
!--- Specify the rate at which the monitor process repeats (in seconds).

Schedule the monitoring:

sla monitor schedule 123 life forever start-time now

!--- Schedule the monitoring process.  In this case the lifetime
!--- of the process is specified to be forever.  The process is scheduled to begin
!--- at the time this command is entered.  As configured, this command allows the
!--- monitoring configuration specified above to determine how often the testing
!--- occurs.  However, you can schedule this monitoring process to begin in the
!--- future and to only occur at specified times.


track 1 rtr 123 reachability

!--- Associate a tracked static route with the SLA monitoring process.
!--- The track ID corresponds to the track ID given to the static route to monitor:
!--- route outside 0.0.0.0 0.0.0.0 10.0.0.2 1 track 1
!--- "rtr" = Response Time Reporter entry.  123 is the ID of the SLA process
!--- defined above.


For more information there is a Cisco doc available:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml 
 
LVL 3

Expert Comment

by:sudeep_mib
ID: 26159007
Try changing the timers:

sla monitor 1
 type echo protocol ipIcmpEcho 4.2.2.6 interface outside
 num-packets 3
 frequency 5

Or try using a different IP address for monitoring; sometimes it solves the issue.
Have you tested the backup link?
Can you please post the "sh route" output?
 
LVL 3

Expert Comment

by:sudeep_mib
ID: 26159011
Can you please provide us the following outputs:

show running-config sla monitor

show sla monitor configuration 123

show sla monitor operational-state 123

show sla monitor operational-state
 

Accepted Solution

by: Minot (earned 0 total points)
ID: 26166624
Sorry for the delayed response.

I was able to resolve my own issue after some digging.  I will leave some notes here to hopefully help anyone who has the same issue.

As stated above, I was able to ping the internet but I could not surf while on the failover connection.

When I could not see any issues with my config I tested the Internet connection with a laptop and presto, the same condition applied.

I then dug around on the router and noted CRC errors on the PVC which serves the failover connection.  A phone call to the ISP revealed an issue with the timing commands on their side.  Basically my router was clipping the packets if they were of any size at all thus the ping but not surfing access.  

Once the ISP resolved their issues we were able to surf from the laptop and my failover began to function properly.

Thanks for your attempt to assist.

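Minot's diagnosis above (minimal ICMP echoes pass, anything larger is clipped, so ping works but web browsing does not) is the classic signature of a link that drops packets above some size. The following is an added example, not part of Minot's post or of any Cisco tooling: a binary search for the largest DF-bit ICMP payload a path still carries, with a real probe built on Linux iputils `ping` (`-M do` sets the DF bit, `-W` is the reply timeout; both are assumptions about the ping variant on your host) and a constructed simulated probe so the search runs offline. 1472 is the payload that fills a 1500-byte MTU after the 20-byte IPv4 and 8-byte ICMP headers; 203.0.113.1 in the demo is a documentation address standing in for a real target.

```python
"""Locate the largest ICMP payload a path carries without fragmentation (added example)."""
import platform
import subprocess

FULL_1500_PAYLOAD = 1472   # 1500-byte MTU minus 20-byte IPv4 and 8-byte ICMP headers
IP_ICMP_OVERHEAD = 28


def probe_with_ping(size, target, timeout=2):
    """Real probe: one DF-bit echo of `size` payload bytes; True if a reply arrived.
    Assumes Linux iputils ping (-M do sets DF, -W is the reply timeout in seconds)."""
    if platform.system() != "Linux":
        raise RuntimeError("probe_with_ping assumes Linux iputils ping")
    cmd = ["ping", "-c", "1", "-W", str(timeout), "-M", "do", "-s", str(size), target]
    result = subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0


def largest_passing_payload(probe, lo=0, hi=FULL_1500_PAYLOAD):
    """Binary search for the largest size in [lo, hi] for which probe(size) is True.

    Assumes the path is monotonic (if a size passes, every smaller size passes),
    which holds for an MTU or clipping fault. Returns -1 if even `lo` gets no reply.
    """
    if not probe(lo):
        return -1
    while lo < hi:                 # invariant: probe(lo) passed
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def diagnose(probe, expected=FULL_1500_PAYLOAD):
    """Turn the search result into the verdict an operator would act on."""
    best = largest_passing_payload(probe, 0, expected)
    if best == expected:
        return "ok: full-size packets pass"
    if best < 0:
        return "no reply even for minimal packets: link down or ICMP filtered"
    return (f"path clips packets above {best} payload bytes "
            f"(effective MTU about {best + IP_ICMP_OVERHEAD})")


def simulated_clipping_path(max_payload):
    """Constructed stand-in for the faulty circuit: replies only up to max_payload."""
    return lambda size: size <= max_payload


if __name__ == "__main__":
    # Offline demo on the simulated path. For a live check replace the probe with
    # lambda s: probe_with_ping(s, "203.0.113.1")  (placeholder target address).
    print(diagnose(simulated_clipping_path(56)))
```

About eleven probes are enough to pin the threshold down to the byte, which is far quicker than a manual size sweep; a threshold well below 1472 on a circuit whose interfaces all report MTU 1500 points at the carrier, exactly as in this thread.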
 

Expert Comment

by:danb13
ID: 37588265
Odd that this was your solution - you are missing a NAT statement on the backup interface.
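sudeep_mib's walkthrough earlier in the thread describes the chain the ASA needs for SLA-based failover: a default route carrying `track N`, a `track N rtr M reachability` object, an `sla monitor M` probe that is actually scheduled, a host route pinning the probe target to the primary interface, and a higher-metric untracked default route on the backup interface; danb13's remark adds that the backup interface also needs its own `global` (PAT) statement. As an added example, not code from the thread or from Cisco, here is a small Python checker that parses those statements out of a pre-8.3 ASA configuration (the `global`/`nat` syntax the posted config uses) and reports what is missing or inconsistent. Both sample configs are constructed: GOOD_CONFIG mirrors the relevant lines of the posted config (on which it reports nothing, since `global (backup) 1 interface` is present), and BROKEN_CONFIG introduces two faults.

```python
"""Static sanity check for a pre-8.3 ASA ISP-failover configuration (added example)."""
import re

# Constructed sample mirroring the failover-related lines of the posted config.
GOOD_CONFIG = """\
global (outside) 1 interface
global (backup) 1 interface
access-group outside_access_in in interface outside
access-group outside_access_in in interface backup
route outside 0.0.0.0 0.0.0.0 75.144.138.46 1 track 123
route backup 0.0.0.0 0.0.0.0 65.115.13.233 200
route outside 4.2.2.6 255.255.255.255 75.144.138.46 1
sla monitor 1
 type echo protocol ipIcmpEcho 4.2.2.6 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
track 123 rtr 1 reachability
"""

# Constructed variant with two classic mistakes: the track object points at an
# SLA entry that was never defined, and the backup interface has no global pool.
BROKEN_CONFIG = (GOOD_CONFIG.replace("global (backup) 1 interface\n", "")
                            .replace("track 123 rtr 1", "track 123 rtr 2"))


def parse_asa(config_text):
    """Collect the statements that matter for SLA-tracked default routes."""
    cfg = {"routes": [], "sla": {}, "tracks": {}, "globals": set(), "acl_ifaces": set()}
    current_sla = None
    for line in config_text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):          # any top-level line ends an sla block
            current_sla = None
        m = re.match(r"route (\S+) (\S+) (\S+) (\S+) (\d+)(?: track (\d+))?$", line)
        if m:
            iface, net, mask, gw, metric, track = m.groups()
            cfg["routes"].append({"iface": iface, "net": net, "mask": mask,
                                  "gw": gw, "metric": int(metric), "track": track})
            continue
        m = re.match(r"sla monitor (\d+)$", line)
        if m:
            current_sla = m.group(1)
            cfg["sla"].setdefault(current_sla, {"scheduled": False})
            continue
        m = re.match(r"\s+type echo protocol ipIcmpEcho (\S+) interface (\S+)", line)
        if m and current_sla:
            cfg["sla"][current_sla].update(target=m.group(1), iface=m.group(2))
            continue
        m = re.match(r"sla monitor schedule (\d+) ", line)
        if m:
            cfg["sla"].setdefault(m.group(1), {})["scheduled"] = True
            continue
        m = re.match(r"track (\d+) rtr (\d+) reachability", line)
        if m:
            cfg["tracks"][m.group(1)] = m.group(2)
            continue
        m = re.match(r"global \((\S+)\) \d+ ", line)
        if m:
            cfg["globals"].add(m.group(1))
            continue
        m = re.match(r"access-group \S+ in interface (\S+)", line)
        if m:
            cfg["acl_ifaces"].add(m.group(1))
    return cfg


def audit_failover(config_text):
    """Return a list of findings; an empty list means the failover chain is complete."""
    cfg = parse_asa(config_text)
    findings = []
    defaults = [r for r in cfg["routes"] if r["net"] == "0.0.0.0" and r["mask"] == "0.0.0.0"]
    tracked = [r for r in defaults if r["track"]]
    backups = [r for r in defaults if not r["track"]]
    if not tracked:
        findings.append("no default route carries a track keyword")
    if not backups:
        findings.append("no untracked backup default route to fall back to")
    for r in tracked:
        sla_id = cfg["tracks"].get(r["track"])
        if sla_id is None:
            findings.append(f"route on {r['iface']} references undefined track {r['track']}")
            continue
        sla = cfg["sla"].get(sla_id)
        if sla is None:
            findings.append(f"track {r['track']} references undefined sla monitor {sla_id}")
            continue
        if not sla.get("scheduled"):
            findings.append(f"sla monitor {sla_id} is never scheduled")
        if sla.get("iface") != r["iface"]:
            findings.append(f"sla monitor {sla_id} probes via {sla.get('iface')}, route is on {r['iface']}")
        # Without a host route for the probe target, the probe would succeed via the
        # backup link once failed over and the primary route would never come back.
        if not any(x["net"] == sla.get("target") and x["iface"] == r["iface"] for x in cfg["routes"]):
            findings.append(f"no host route pinning probe target {sla.get('target')} to {r['iface']}")
    for b in backups:
        if any(b["metric"] <= t["metric"] for t in tracked):
            findings.append(f"backup route on {b['iface']} is not worse than the tracked route")
        if b["iface"] not in cfg["globals"]:
            findings.append(f"no global (PAT) statement on backup interface {b['iface']}")
        if b["iface"] not in cfg["acl_ifaces"]:
            findings.append(f"no access-group applied to backup interface {b['iface']}")
    return findings


if __name__ == "__main__":
    for name, text in (("good", GOOD_CONFIG), ("broken", BROKEN_CONFIG)):
        print(name, audit_failover(text) or "no findings")
```

Feed it the output of `show running-config` and an empty result tells you the routing and NAT side of failover is wired up; anything left after that, as in this thread, is a question for the circuit itself.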